McAfee HISCDE-AB-IA Product Guide - Page 143

Appendix B — Troubleshooting: Host IPS logs

When the log_rotate_size_kb specified size has been exceeded, the file is closed and renamed with the suffix .1. If a file with that name already exists, the suffix is incremented by one. When the specified number of backup files is reached, the oldest is deleted.

NOTE: When collecting data for incidents escalated to McAfee Support, we strongly recommend that the debug_enabled registry value be created and set to 1. This registry value logs all Host and Network IPS events to HIPShield.log, regardless of the Log Status setting under signature properties. Be sure to stop the service, delete old log files, restart the service, and perform the reproduction. This minimizes the size of the log files.

What are things to look for in HipShield.log?

A run of the Host IPS component begins with a banner statement that identifies the build run and the date/time stamp of the session. Each entry of the HipShield log shows a date/time stamp, followed by an indication as to whether this data is informational, debugging, or error. The data contained in the HipShield log is ad hoc, and differs between portions of the Host IPS component.

Key areas of interest:

• Lines beginning with "In install modules new" describe the copying of files as part of the start of the Host IPS component. Failure to copy these files prevents the Host IPS component from starting.
• A line beginning with "Scrutinizer initialized successfully" indicates that loading of the Host IPS component has been successful up through the initialization of the Scrutinizer, which depends on the above-mentioned files having been copied properly.
• A line beginning with "New Process: Pid=" indicates that the Host IPS component is able to monitor process creation.
• A line beginning with "IIS - Start" indicates that IIS monitoring is beginning.
• A line beginning with "Scrutinizer started successfully ACTIVATED status" indicates that the Scrutinizer has successfully started.
• A line beginning with "Hooking xxx" indicates that process hooking is proceeding. The number xxx is the PID (process ID) of the process being hooked.
• A series of lines beginning with "Processing Buffer xxx.scn" reports the results of the Scanner's processing of scan file xxx.scn, where xxx is a name like EnterceptMgmtServer, as shown above. Errors in the Scanner's processing of scan files are reported here.
• Lines in the format "signature=111 level=2, log=True" report that an individual signature has been loaded. The signature ID and level are included, along with an indication of whether logging is enabled for this signature.

NOTE: Shield.db and except.db are created in the same directory as the logs only when debugging is enabled. These files contain a dump of the rules and exceptions that are sent to the kernel after AgentNT.dll has processed the content.
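As an added example (not code from the guide or from McAfee), a small Python triage helper that reads a HipShield.log excerpt and reports which of the startup markers listed above appeared, where startup stalled (the first marker missing, assuming markers appear in the order the guide lists them), which PIDs were hooked, which scan files were processed, which signatures loaded, and any error-level entries. The entry layout "<date> <time> <LEVEL> <message>", the milestone names and the sample lines are assumptions; the guide supplies only the marker strings.

```python
import re
# Startup milestones named in the guide, in the order the guide lists them.
MILESTONES = [
    ("install_modules", "In install modules new"),
    ("scrutinizer_init", "Scrutinizer initialized successfully"),
    ("process_monitor", "New Process: Pid="),
    ("iis_monitor", "IIS - Start"),
    ("scrutinizer_active", "Scrutinizer started successfully ACTIVATED status"),
]
# Assumed entry layout "<date> <time> <LEVEL> <message>"; the guide gives no exact layout.
ENTRY = re.compile(r"^(?P<date>\S+)\s+(?P<time>\S+)\s+(?P<level>[A-Za-z]+)\s+(?P<msg>.*)$")
HOOK = re.compile(r"^Hooking (\d+)")
SCAN = re.compile(r"^Processing Buffer (\S+\.scn)")
SIG = re.compile(r"signature=(\d+) level=(\d+), log=(True|False)")

def triage(lines):
    """Milestones reached, first one missing (where startup stalled), PIDs hooked, scan files, signatures, errors."""
    reached = {name: False for name, _ in MILESTONES}
    out = {"hooked_pids": [], "scanfiles": [], "signatures": {}, "errors": []}
    for raw in lines:
        m = ENTRY.match(raw.strip())
        if not m:
            continue  # banner line or other non-entry text
        level, msg = m.group("level"), m.group("msg")
        if level.lower().startswith("err"):
            out["errors"].append(msg)
        for name, marker in MILESTONES:
            if msg.startswith(marker):
                reached[name] = True
        if h := HOOK.match(msg):
            out["hooked_pids"].append(int(h.group(1)))
        if (s := SCAN.match(msg)) and s.group(1) not in out["scanfiles"]:
            out["scanfiles"].append(s.group(1))
        if g := SIG.search(msg):
            out["signatures"][int(g.group(1))] = {"level": int(g.group(2)), "log": g.group(3) == "True"}
    out["milestones"] = reached
    out["stalled_at"] = next((n for n, ok in reached.items() if not ok), None)
    return out
# Constructed excerpt (not real HipShield.log output) in which activation is never logged.
SAMPLE = """\
HipShield build 8.0.0.1234 session started 2024-05-01 09:00:00
2024-05-01 09:00:01 INFO In install modules new: copying HipShield.dll
2024-05-01 09:00:02 INFO Scrutinizer initialized successfully
2024-05-01 09:00:03 DEBUG Processing Buffer EnterceptMgmtServer.scn
2024-05-01 09:00:03 DEBUG signature=111 level=2, log=True
2024-05-01 09:00:04 INFO New Process: Pid=4120 Name=notepad.exe
2024-05-01 09:00:04 INFO Hooking 4120
2024-05-01 09:00:05 INFO IIS - Start
2024-05-01 09:00:06 ERROR Processing Buffer Custom.scn: parse error at line 7
""".splitlines()
```

Running triage(SAMPLE) reports stalled_at as scrutinizer_active, which is the cue to look for the scan-file error just before the missing ACTIVATED line.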
Which log files are associated with the firewall component?

The primary log files for the Firewall component and what they contain:

Name: FireSvc.log
Description: Main service log
Contains this data:
• Debug level logging
• Location matching output
• TrustedSource connection rating output
• Errors/warnings

Appendix B — Troubleshooting: Host IPS logs. McAfee Host Intrusion Prevention 8.0 Product Guide for ePolicy Orchestrator 4.5, page 143.